Software Development Process

What Is Credential Stuffing? (and How to Protect Yourself)

April 20, 2020

[Image: A silhouette of a padlock in front of a Zoom logo. Credit: Ink Drop/Shutterstock.com]

A total of 500 million Zoom accounts are for sale on the dark web thanks to "credential stuffing." It's a common way for criminals to break into accounts online. Here's what that term actually means and how you can protect yourself.

It Starts With Leaked Password Databases

Attacks against online services are common. Criminals often exploit security flaws in systems to acquire databases of usernames and passwords. Databases of stolen login credentials are often sold online on the dark web, with criminals paying in Bitcoin for the privilege of accessing the database.

Let's say you had an account on the Avast forum, which was breached back in 2014. Criminals who obtained that breached database may have your Avast forum username and password. Avast contacted you and had you change your forum password, so what's the problem?

Unfortunately, the problem is that many people reuse the same passwords on different websites. Let's say your Avast forum login details were "you@example.com" and "AmazingPassword." If you logged into other websites with the same username (your email address) and password, any criminal who acquires your leaked passwords can gain access to those other accounts.


Credential Stuffing in Action

"Credential stuffing" involves using these databases of leaked login details and trying to log in with them on other online services.

Criminals take large databases of leaked username and password combinations—often millions of login credentials—and try to sign in with them on other websites. Some people reuse the same password on multiple websites, so some will match. This can generally be automated with software, quickly trying many login combinations.

For something that sounds so technical and is so dangerous, that's really all it is: trying already leaked credentials on other services and seeing what works. In other words, "hackers" stuff all those leaked login credentials into the login form and see what happens. Some of them are sure to work.

This is one of the most common ways that attackers "hack" online accounts these days. In 2018 alone, the content delivery network Akamai logged nearly 30 billion credential-stuffing attacks.


How to Protect Yourself

[Image: Multiple keys next to an open padlock. Credit: Ruslan Grumble/Shutterstock.com]

Protecting yourself from credential stuffing is pretty simple and involves following the same password security practices security experts have been recommending for years. There's no magic solution—just good password hygiene. Here's the advice:

  • Avoid Reusing Passwords: Use a unique password for each account you use online. That way, even if your password leaks, it can't be used to sign in to other websites. Attackers can try to stuff your credentials into other login forms, but they won't work.
  • Use a Password Manager: Remembering strong unique passwords is a nearly impossible task if you have accounts on quite a few websites, and almost everyone does. We recommend using a password manager like 1Password (paid) or Bitwarden (free and open-source) to remember your passwords for you. It can even generate those strong passwords from scratch.
  • Enable Two-Factor Authentication: With two-factor authentication, you have to provide something else—like a code generated by an app or sent to you via SMS—each time you log in to a website. Even if an attacker has your username and password, they can't sign in to your account without that code.
  • Get Leaked Password Notifications: With a service like Have I Been Pwned?, you can get a notification when your credentials appear in a leak.


How Services Can Protect Against Credential Stuffing

While individuals need to take responsibility for securing their accounts, there are many ways for online services to protect against credential-stuffing attacks.

  • Scan Leaked Databases for User Passwords: Facebook and Netflix have scanned leaked databases for passwords, cross-referencing them against login credentials on their own services. If there's a match, Facebook or Netflix can prompt their own user to change their password. This is a way of beating credential-stuffers to the punch.
  • Offer Two-Factor Authentication: Users should be able to enable two-factor authentication to secure their online accounts. Particularly sensitive services can make this mandatory. They can also have a user click a login verification link in an email to confirm the login request.
  • Require a CAPTCHA: If a login attempt looks strange, a service can require entering a CAPTCHA code displayed in an image or clicking through another form to verify a human—and not a bot—is attempting to sign in.
  • Limit Repeated Login Attempts: Services should block bots that make a large number of sign-in attempts in a short period of time. Modern sophisticated bots may spread their attempts across many IP addresses at once to disguise their credential stuffing.
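The first item in the list above (cross-referencing a leaked database against a service's own users) as an added Python example written for this page; it is not code from the original article or from Facebook or Netflix. It assumes the service stores salted PBKDF2 password hashes and receives the leak as (email, password) pairs; all sample data is constructed.

```python
import hashlib
import hmac
import secrets

# The service keeps only salted PBKDF2-HMAC-SHA256 hashes, so a leaked plaintext
# password can only be compared by re-hashing it with that user's own salt.
# Iteration count kept modest so the example runs quickly.
ITERATIONS = 50_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_user_store(accounts):
    """Build {email: (salt, hash)} from (email, password) pairs, as at signup."""
    store = {}
    for email, password in accounts:
        salt = secrets.token_bytes(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store

def find_reused_credentials(user_store, leaked_dump):
    """Return the set of our users whose current password appears next to
    their email in a leaked (email, password) dump. Those users should be
    prompted to change it before a credential-stuffing bot tries the pair."""
    hits = set()
    for email, leaked_password in leaked_dump:
        key = email.lower()            # email addresses are case-insensitive
        record = user_store.get(key)
        if record is None:
            continue                   # not one of our users
        salt, stored_hash = record
        candidate = hash_password(leaked_password, salt)
        if hmac.compare_digest(candidate, stored_hash):
            hits.add(key)
    return hits

# Constructed sample data, not from any real breach.
OUR_USERS = [
    ("you@example.com", "AmazingPassword"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "NewPasswordSince2014"),
    ("dave@example.com", "only-used-here-2020"),
]
LEAKED_DUMP = [
    ("you@example.com", "AmazingPassword"),                 # reused -> hit
    ("Bob@Example.com", "correct horse battery staple"),    # reused -> hit
    ("carol@example.com", "OldForumPassword"),              # changed -> no hit
    ("mallory@other.invalid", "hunter2"),                   # not our user
]
```

Calling find_reused_credentials(make_user_store(OUR_USERS), LEAKED_DUMP) yields the two accounts to prompt; a real deployment would run this as a batch job each time a new dump is obtained.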

Poor password practices—and, to be fair, poorly secured online systems that are often too easy to compromise—make credential stuffing a serious danger to online account security. It's no wonder many companies in the tech industry want to build a more secure world without passwords.
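The last two items in the list above (spotting login attempts that look strange and limiting bursts of sign-ins) as an added detection example written for this page, not the article's own code. It assumes a constructed login log in a simple "timestamp ip username result" form and flags sources that try many distinct usernames with a low success rate inside a sliding window; the grouping key can be changed to count across all sources, for bots that spread attempts over many IP addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system). 203.0.113.5 walks
# through a list of accounts; 198.51.100.7 is one person mistyping their own
# password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2020-04-20T10:00:01 203.0.113.5 alice FAIL
2020-04-20T10:00:02 203.0.113.5 bob FAIL
2020-04-20T10:00:02 203.0.113.5 carol FAIL
2020-04-20T10:00:03 203.0.113.5 dave OK
2020-04-20T10:00:03 203.0.113.5 erin FAIL
2020-04-20T10:00:04 203.0.113.5 frank FAIL
2020-04-20T10:00:10 198.51.100.7 alice FAIL
2020-04-20T10:00:15 198.51.100.7 alice FAIL
2020-04-20T10:00:20 198.51.100.7 alice OK
2020-04-20T10:01:00 192.0.2.9 grace OK
"""

def parse_log(text):
    """Return a list of (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def stuffing_suspects(events, window=timedelta(minutes=5), min_users=5,
                      max_success_rate=0.5, key=lambda ip: ip):
    """Flag groups that, inside any `window`, tried at least `min_users`
    distinct usernames with a success rate of at most `max_success_rate`.
    `key` groups by source IP by default; `lambda ip: "all"` looks for a
    distributed attack. Returns {group: (distinct_users, attempts, successes)}."""
    groups = defaultdict(list)
    for ts, ip, user, ok in events:
        groups[key(ip)].append((ts, user, ok))
    suspects = {}
    for group, attempts in groups.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):        # sliding time window
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_rate:
                if group not in suspects or len(users) > suspects[group][0]:
                    suspects[group] = (len(users), len(chunk), successes)
    return suspects
```

A single retrying user is never flagged because the distinct-username count stays at one; the per-IP view catches the list-walking source, and the "all" view is what remains useful once attempts are spread across many addresses.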
